Abstract — Multiple-input multiple-output (MIMO) techniques
allow for multiplexing and/or diversity gain, and will be widely 
deployed in future wireless systems. In this paper, we propose a 
MIMO-assisted channel-based authentication scheme, exploiting 
current channel estimation mechanisms in MIMO systems to 
detect spoofing attacks with very low overhead. In this scheme, 
the use of multiple antennas provides extra dimensions of channel 
estimation data, and thus leads to a "security gain" over single- 
input single-output (SISO) systems. We investigate the security 
gain of MIMO systems in several system configurations via 
simulations for a specific real indoor environment using ray- 
tracing software. We also discuss the effect of increasing the 
number of transmit and receive antennas on the security gain 
and contrast that to the diversity/multiplexing gain. 

Index Terms — MIMO, channel-based authentication, spoofing 
attacks. 



I. Introduction 

Wireless networks have become pervasive and essential, 
but most wireless systems lack the ability to reliably identify 
clients without employing complicated cryptographic tools. 
This problem introduces a significant threat to the security 
of wireless networks, since intruders can access wireless net- 
works without a physical connection. One serious consequence 
is that spoofing attacks (or masquerading attacks), where a 
malicious device claims to be a specific client by spoofing 
its MAC address, become possible. Spoofing attacks can
seriously degrade network performance and facilitate many
forms of security weakness; for instance, by smartly attacking
control messages/management frames, the intruder can
corrupt services of legal clients [1]-[3].

It is desirable to conduct authentication at the lowest pos- 
sible layer, and thus a channel-based authentication approach 
was proposed in [4], exploiting the fact that, in rich multipath 
environments typical of wireless scenarios, channel responses 
are location-specific. More specifically, channel frequency re- 
sponses decorrelate from one transmit-receive path to another, 
if the paths are separated by the order of an RF wavelength or 
more [5]. Channel-based authentication is able to discriminate 
among transmitters with low system overhead, since it utilizes 
existing channel estimation mechanisms. 

This prior work [4] on physical layer authentication has 
focused on single antenna systems. However, with the ability 
to provide diversity gain and/or multiplexing gain, multiple-
input multiple-output (MIMO) techniques will be widely
deployed in future wireless networks, e.g., IEEE 802.11n, to
improve traffic capacity and link quality [6]. Therefore, in this
paper, we extend the analysis of channel-based authentication 
to MIMO systems, and investigate the impact of MIMO 
techniques on the performance of spoofing detection. 

We note that the channel-based authentication is used to 
discriminate among different transmitters, and must be com- 
bined with a traditional handshake authentication process to 
completely identify an entity. We assume that an entity's 
identity is obtained at the beginning of a transmission using 
traditional higher layer authentication mechanisms. Channel- 
based authentication is then used to ensure that all signals in 
both the handshake process and data transmission are actually 
from the same transmitter. Thus this may be viewed as a cross- 
layer design approach to authentication. 

We begin the paper by describing the system model in
Section II, including the attack model and channel estimation.
Then we present our MIMO-assisted channel-based
authentication scheme in Section III. In Section IV, we describe
the simulation approach and present simulation results. We
conclude in Section V with a discussion of the effect of MIMO
transmission parameters on the authentication performance.
We also contrast the diversity/multiplexing gains with the 
security gain. 



II. System Model 



A. Attack Model 



Throughout the discussion, we introduce three different 
parties: Alice, Bob and Eve. As shown in Fig. 1, they are
assumed to be located in spatially separated positions. Alice 
is the legal client with Nt antennas, initiating communication 
by sending signals to Bob. As the intended receiver, Bob is 
the legal access point (AP) with Nr antennas. Their nefarious 
adversary, Eve, will inject undesirable communications into 
the medium with Ne antennas, in the hopes of impersonating 
Alice. 

In order to obtain the multiplexing gain associated with 
multiple antennas, the channel state information must be 
known at receivers [7]. Thus we assume that legal transmitters 
send non-overlapping pilots from Nt antennas, and Bob uses
them to estimate channel responses, for non-security purposes. In
the authentication process, Bob tracks the channel responses 
to discriminate between legitimate signals from Alice and 
illegitimate signals from Eve. 

Fig. 1. The adversarial multipath environment involving multiple scattering
surfaces. The transmission from Alice with Nt antennas to Bob with Nr 
antennas, experiences different multipath effects than the transmission by the 
adversary, Eve. Bob uses pilot symbols to estimate channel responses from 
the transmitters, and thus discriminate between Alice and Eve. 



B. Channel Estimation Model 

A legal transmission from Alice to Bob in Fig. 1 will
involve a MIMO system with Nt transmit (Tx) antennas and
Nr receive (Rx) antennas. Bob measures and stores channel
frequency response samples at M tones, across an overall
system bandwidth of W, where each subband has bandwidth
b ($\le W/M$), and the center frequency of the system is $f_0$.

We consider channel frequency responses for two frames, 
which may or may not come from the same transmitter, and 
denote them by 

$$H_i = [H_i(1,1), H_i(1,2), \cdots, H_i(N_T, N_R)]^T, \quad i = 1, 2, \qquad (1)$$

where $H_i(j_t, j_r) = [H_{i,1}(j_t, j_r), \cdots, H_{i,M}(j_t, j_r)]^T$,
$1 \le j_t \le N_T$, $1 \le j_r \le N_R$, and
$H_{i,m}(j_t, j_r) = H_i(j_t, j_r; f_0 + W(m/M - 0.5))$ is the channel
response at the m-th tone in the i-th frame, connecting the
$j_t$-th Tx antenna and $j_r$-th Rx antenna. The NtNrM elements in are
independent and identically distributed.

In a real receiver, the phase of the local oscillator changes 
with time, leading to a phase measurement rotation of the 
underlying channel responses. The phase shifts are the same 
in channel estimations of Nr antennas, since the antennas 
are connected to the same receiver oscillator. Considering 
the phase rotation and receiver thermal noise, we model the 
estimated channel frequency response as 



H, = II,' 



N,; 



(2) 



where $\in [0, 2\pi)$ denotes the unknown phase measurement
rotation, and $N_i$ is the receiver thermal noise vector with
NtNrM elements, which are independent and identically
distributed complex Gaussian random variables, $\mathcal{CN}(0, \sigma^2)$.

The noise variance, $\sigma^2$, is defined as the receiver noise
power per tone, $P_N = \kappa T N_F b$, divided by the transmit power
per tone per transmit antenna, $P_T/N_T$, i.e.,

$$\sigma^2 = \frac{N_T P_N}{P_T} = \frac{N_T \kappa T N_F b}{P_T}, \qquad (3)$$

where $P_T$ is the transmit power per tone, $\kappa T$ is the thermal
noise density in mW/Hz, $N_F$ is the receiver noise figure, and
b is the measurement noise bandwidth per tone (equal to the
subband bandwidth). The signal-to-noise ratio (SNR) in the
channel estimation per tone is defined as

PtE[\\HA\%} 



SNR 



(4) 
where the expected value is taken over all the channel
realizations at locations of interest, and $\|A\|_F$ denotes the Frobenius
norm of the matrix A.

III. MIMO-Assisted Authentication 

MIMO-assisted channel-based authentication compares 
channel frequency responses at consecutive frames. Assuming 
stationary terminals and time-invariant channels, we should 
report spoofing attacks if channel responses from the same 
user are significantly different in two frames. 

MIMO techniques introduce an extra benefit to spoofing 
detection. Considering the Alice-Bob-Eve attack model in Fig.
1, if Eve does not know the number of transmit antennas
at Alice, Nt, she has to predict Nt. If Eve has the wrong 
prediction, or she simply does not have Nt antennas, Bob 
will foil her with certainty, based on the messed up channel 
estimation and data decoding results. In other words, Eve has 
a chance of fooling Bob only if she knows Nt and uses 
Nt transmit antennas, as is our assumption in the following 
discussions. 

A. Hypothesis Testing 

Assuming Bob obtains channel responses of $H_1$ and $H_2$,
respectively, for two frames with the same identity, we build a
simple hypothesis test for the purpose of transmitter
discrimination. In the null hypothesis, $\mathcal{H}_0$, two estimates are from
the same terminal, and thus the claimant is the legal user.
Otherwise, Bob accepts the alternative hypothesis, $\mathcal{H}_1$, and
claims that a spoofing attack has occurred, i.e., the claimant
terminal is no longer the previous one:

$$\mathcal{H}_0 : H_1 = H_2 \qquad (5)$$

$$\mathcal{H}_1 : H_1 \neq H_2. \qquad (6)$$

2 are unknown, Bob chooses the pairwise test statistic as

(7)



(8) 



In the high SNR region, where the proposed scheme must 
perform, it is easy to show that, under Ho, we have 



Al|Ni-N 2 | 



(9) 



indicating that L is approximately a Chi-square variable with
$s = 2 N_T N_R M$ degrees of freedom. Otherwise, when $\mathcal{H}_1$ is
true, L is a non-central Chi-square variable, given by

where the non-centrality parameter, $\mu$, is written as

/ i=-^-||H 1 -H 2 e^ H 1 H ?)|| 2 . (11) 

For fixed $P_T$, the dimension of $H_i$ is proportional to $M N_R$,
and thus $\mu$ rises with both $N_R$ and M. On the other hand,
the impact of $N_T$ is more complex, depending on the specific
values of $H_1$, $H_2$, and $P_T$.

The rejection region of $\mathcal{H}_1$ is defined as L < k, where
k is the test threshold, which is selected according to an
appropriate performance target.

B. Performance Criteria 

Given a building environment and terminal locations, we
derive the performance of MIMO-based spoofing detection,
averaged over all realizations of receiver thermal noise. From
Eq. (9), we can write the "false alarm rate" (or Type I error)
for a given k as

$$\alpha = \Pr(L > k \mid \mathcal{H}_0) = 1 - F_{\chi^2_s}(k), \qquad (12)$$

where $F_X(\cdot)$ is the CDF of the random variable X. Similarly,
from Eq. (10), the "miss detection rate" (or Type II error) for
given k is given by

$$\beta = \Pr(L < k \mid \mathcal{H}_1) = F_{\chi^2_{s,\mu}}(k), \qquad (13)$$

indicating that $\alpha$ rises with k, while $\beta$ decreases with it. By
Eqs. (12) and (13), we have the miss rate for a given false alarm
rate as

$$\beta(\alpha) = F_{\chi^2_{s,\mu}}\left(F^{-1}_{\chi^2_s}(1 - \alpha)\right), \qquad (14)$$

where $F_X^{-1}(\cdot)$ is the inverse function of $F_X(\cdot)$. From Eqs. (11)
and (3), we see the miss rate decreases with $P_T$, since higher
transmit power allows for more accurate channel estimation.

We will investigate the security gain of MIMO techniques 
in our channel-based authentication scheme. For given $\alpha$, it
is defined as the relative decrease of $\beta(\alpha)$, if replacing single
antenna systems with multiple antenna systems, i.e.,

0MIMo(oi) 

where $\beta_{SISO}$ and $\beta_{MIMO}$ are the miss rates in the single
antenna systems and multiple antenna systems, respectively.

C. Performance Discussion 

The use of multiple antennas has a two-fold impact: it 
improves security performance by increasing the frequency 
sample size from 2M to 2MNtNr. On the other hand, the 
use of multiple transmit antennas reduces the transmit power 
per antenna, leading to performance loss of some degree. 

Note that the frequency sample size, $M \in [1, M_s]$, is
selected for security purposes, where $M_s$ ($\ge M$), the total
number of subbands, is determined by non-security issues such
as data decoding accuracy. The average transmit power per
tone is determined by $M_s$, with $P_T = P_{total}/M_s$, where $P_{total}$
is the total system transmit power. Hence, $P_T$ is independent
of any other parameters mentioned, and we assume constant
$P_T$ in the comparison of system configurations.



In wideband systems, b is fixed and the detection perfor- 
mance improves with W, since channel responses decorrelate 
more rapidly in space with higher system bandwidth. From 
Eqs. (3), (11), and (14), we see that $\beta$ increases with b, since the
power of measurement noise is proportional to b. As will be
shown later, the optimal choice for wideband systems is to set
$M = M_s$.

In narrowband systems, however, since $W < B_c$, where
$B_c$ is the channel coherence bandwidth, we set M = 1 and
W = b. As a result, the detection performance improves as
system bandwidth W = b decreases, as can be inferred from
Eqs. (3), (11), and (14).
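
A numerical sketch of Eqs. (12)-(14) and of the security gain, added here as an example and not code from the paper. It assumes a non-centrality equal to the summed squared channel difference divided by the noise variance of Eq. (3), constructed i.i.d. exponential channel differences in place of ray-traced channels, and the gain in the form of the paper's worked figure (0.09 - 0.01)/0.01; the function names and `d_siso` are hypothetical.

```python
import math
import random


def ncx2_cdf_even(x, dof, mu):
    """CDF at x of a chi-square variable with even `dof` and non-centrality `mu`.

    Poisson mixture of central chi-square CDFs; mu = 0 gives the central CDF.
    Adequate for the moderate mu values used in this example.
    """
    half, n = x / 2.0, dof // 2
    term, tail = math.exp(-half), 0.0       # term_i = e^{-x/2} (x/2)^i / i!
    for i in range(n):                      # tail = Pr(chi2 with 2n dof > x)
        tail += term
        term *= half / (i + 1)
    weight, cdf, j = math.exp(-mu / 2.0), 0.0, 0
    while True:
        cdf += weight * (1.0 - tail)        # Poisson weight * central CDF, dof + 2j
        j += 1
        weight *= (mu / 2.0) / j
        tail += term
        term *= half / (n + j)
        if j > mu / 2.0 and weight < 1e-12:
            return cdf


def threshold(alpha, dof):
    """Test threshold k for false alarm rate alpha, inverting Eq. (12)."""
    lo, hi = 0.0, 1.0
    while ncx2_cdf_even(hi, dof, 0.0) < 1.0 - alpha:
        hi *= 2.0
    for _ in range(60):                     # bisection on the central CDF
        mid = (lo + hi) / 2.0
        if ncx2_cdf_even(mid, dof, 0.0) < 1.0 - alpha:
            lo = mid
        else:
            hi = mid
    return hi


def average_miss_rate(n_t, n_r, m, d_siso, alpha=0.01, trials=2000, seed=1):
    """Average beta(alpha) of Eq. (14) over constructed channel differences.

    Assumption: each element's squared channel difference, in units of the
    SISO noise variance, is d_siso times a unit-mean exponential draw. The
    noise variance grows with n_t as in Eq. (3), so mu = d_siso / n_t * sum.
    """
    rng = random.Random(seed)
    size = n_t * n_r * m                    # complex samples per frame
    dof = 2 * size                          # s = 2 * N_T * N_R * M
    k = threshold(alpha, dof)
    total = 0.0
    for _ in range(trials):
        mu = d_siso / n_t * sum(rng.expovariate(1.0) for _ in range(size))
        total += ncx2_cdf_even(k, dof, mu)  # Pr(L < k | H1): spoofer accepted
    return total / trials


def security_gain(beta_siso, beta_mimo):
    """Relative decrease of the miss rate when moving from SISO to MIMO."""
    return (beta_siso - beta_mimo) / beta_mimo


if __name__ == "__main__":
    siso = average_miss_rate(1, 1, 1, d_siso=10.0)
    for name, n_t, n_r in [("2x1 MISO", 2, 1), ("1x2 SIMO", 1, 2), ("2x2 MIMO", 2, 2)]:
        beta = average_miss_rate(n_t, n_r, 1, d_siso=10.0)
        print(f"{name}: miss rate {beta:.3f}, gain {security_gain(siso, beta):.2f}")
```

Because the transmit power per antenna is divided by `n_t`, adding transmit antennas raises the degrees of freedom without raising the mean non-centrality, which is the two-fold impact described above.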

IV. Simulation and Numerical Results 

A. Simulation Method 

The WiSE tool, a ray-tracing software package developed by 
Bell Laboratories [8], was used to model not only typical chan- 
nel responses, but the spatial variability of these responses. 
One input to WiSE is the 3-dimensional plan of a specific 
building, including walls, floors, ceilings and their material 
properties (e.g., dielectric coefficient and conductivity). With 
this information, WiSE calculates the rays at any receiver from 
any transmitter, including their amplitudes, phases and delays. 
From this, it is straightforward to construct the transmit- 
receive frequency response over any specified interval. 

We have done this for a typical office building, for which 
a top view of the first floor is shown in Fig. 2. This floor
of this building is 120 meters long, 14 meters wide and 4 
meters high. For our numerical experiment, we placed the 
access point (AP) in the hallway at [45.6, 6.2, 3.0] m. For the 
positions of transmitters, we considered a 12 m x 67 m area, 
shown as outlined with a dashed line in the figure. We assumed 
all transmitters are at a height of 2 m, being anywhere on a 
uniform horizontal grid of 405 points with 1.5-meter spacing. 

We randomly chose 2 points within the 12 m x 67 m 
area as the legal and spoofing nodes. For each scenario, (1) 
WiSE was used to generate channel impulse responses for 
the 2 nodes; and (2) the hypothesis test described above was 
used to compute $\beta$, for given $\alpha$, by Eq. (14). We repeated the
experiment 405 x 404/2 = 81810 times, and computed the 
average miss rate, for each system configuration. 

B. Simulation Results 

In the simulations, we consider MIMO, single-input
multiple-output (SIMO), multiple-input single-output (MISO),
and single-input single-output (SISO) systems, with separation
of two neighboring antennas of 3 cm (i.e., half wavelength),
$\alpha = 0.01$, f = 5 GHz, $N_F = 10$, b = 0.25 MHz, and
$P_T \in \{0.1, 1, 10\}$ mW, if not specified otherwise. The per
tone SNR ranges from -16.5 dB to 53.6 dB, with a median
value of 16 dB, using transmit power per tone $P_T = 0.1$ mW,
b = 0.25 MHz, and $N_T = N_R = 1$.

Figure 3 shows that the average miss rate decreases with
the frequency sample size, M, with W = 20 MHz, indicating
that we should use all of the channel estimation data and set
$M = M_s$. In addition, it can be seen that the security gain of
MIMO, defined by Eq. (15), decreases with M, when $P_T >$

Fig. 2. System topology assumed in the simulations. The receiver is located
at [45.6, 6.2, 3.0] m in a 120 m × 14 m × 4 m office building. The antenna
distance is half wavelength (3 cm). All transmitters, including both legal 
transmitters and spoofing nodes, are located on dense grids at a height of 
2 m. The total number of samples in the grids is 405. 





Fig. 4. Average miss rate of spoofing detection for various configurations of
$N_T$ and $N_R$, with $\alpha = 0.01$, M = 3, $P_T \in \{0.1, 1\}$ mW, b = 0.25 MHz,
and W = 2 MHz.



Fig. 3. Average miss rate of spoofing detection in wideband systems, in
SISO, 2×1 MISO, 1×2 SIMO, and 2×2 MIMO systems, respectively, with
$\alpha = 0.01$, M = 5, b = 0.25 MHz, W = 20 MHz, and $P_T \in \{0.1, 1, 10\}$
mW.




0.1 mW. For instance, $G(P_T = 1\,\text{mW}, M = 1) = (0.09 - 0.01)/0.01 = 8$
is greater than $G(P_T = 1\,\text{mW}, M = 10) = 1.7$.
If using high power and small M (e.g., M = 1), the SISO
system has accurate but insufficient channel response samples.
Thus the additional dimensions of channel samples in MIMO
systems allow for much better performance. On the contrary, if
using high $P_T$ and large M, the performance of SISO systems
is too good to be significantly improved.

We can also see that the security gain slightly rises with M,
when $P_T$ is as low as 0.1 mW, e.g.,
$G(P_T = 0.1\,\text{mW}, M = 1) < G(P_T = 0.1\,\text{mW}, M = 10)$.
This observation arises because, when the channel estimation
is not accurate due to low SNR, the systems need much more
data to make the right decision.

Similarly, the impact of $P_T$ on the MIMO security gain
also depends on the value of M: The gain rises with $P_T$,
under small M, e.g., G($P_T$ = 10 mW, M = 1) > G($P_T$ =



Fig. 5. Average miss rate of spoofing detection in wideband systems, given
false alarm rate of 0.01, in SISO, 2×1 MISO, 1×2 SIMO, and 2×2
MIMO systems, respectively, with $\alpha = 0.01$, M = 4, b = 0.25 MHz, and
$P_T \in \{0.1, 1, 10\}$ mW.



0.1 mW, M = 1). Otherwise, under large M, the security
gain decreases with $P_T$, e.g., G($P_T$ = 10 mW, M = 10) <
G($P_T$ = 0.1 mW, M = 10).

Next, Fig. 4 indicates that the miss rate decreases with $N_R$,
and the security gain of $N_R$ decreases with $N_R$. On the other
hand, the impact of multiple ($N_T$) transmit antennas on the
authentication performance is determined by parameters like $P_T$,
M, and $N_R$, since the use of more transmit antennas reduces
the transmit power per antenna, while providing additional
channel estimation samples. For instance, with $P_T \in \{0.1$
mW, 1 mW$\}$ and M = 3, the miss rate decreases with $N_T$,
under $N_R = 1$, while it rises with $N_T$, under $N_R > 1$.

As discussed in Section III-C, Fig. 5 shows that the miss

Fig. 6. Average miss rate of spoofing detection in narrowband systems, given
false alarm rate of 0.01, in SISO, 2×1 MISO, 1×2 SIMO, and 2×2 MIMO
systems, respectively, with $\alpha = 0.01$, M = 1, $P_T = 0.1$ mW, and b = W.



rate decreases with system bandwidth, W, since the M = 4 
channel samples are less correlated with wider bandwidth. On 
the other hand, the MIMO security gain decreases with W, 
as the miss rate in SISO systems decreases more rapidly with 
W than that in MIMO systems. It is also shown that SIMO is 
better than MIMO, under large W. 

Finally, the detection performance in narrowband systems 
is presented in Fig. 6, with b ranging between 250 Hz and 250
kHz. Since a larger noise bandwidth decreases SNR, it raises 
the miss rate and reduces the MIMO security gain. 

V. Summaries & Discussion 

We have proposed a MIMO-assisted channel-based authen- 
tication scheme, exploiting the spatial decorrelation property 
of the wireless medium to detect spoofing attacks. We pre- 
sented the average miss detection rate, for a given false alarm 
rate of 0.01, and evaluated the security gain (defined as the
improvement in authentication performance over SISO
systems, Eq. (15)) for different MIMO transmission parameters.
We had the following observations: 

• The MIMO security gain decreases with the system band- 
width (W), because the SISO system provides sufficient 
decorrelation at high bandwidth, making resolution of 
Alice and Eve better. 

• The MIMO security gain decreases with the noise
bandwidth (b) in narrowband systems, since the noise power is
larger there, thereby affecting the estimation of MIMO channel
parameters.

• The MIMO security gain decreases with the frequency
sample size (M), if the transmit power ($P_T$) is as large as
1 mW. If using high power and small M, the SISO system
has accurate but insufficient channel response samples.
Thus the additional dimensions of channel samples in
MIMO systems allow for much better performance. On
the contrary, if using high $P_T$ and large M, the
performance of SISO systems is too good to be significantly
improved.

On the other hand, the MIMO security gain slightly rises 
with M, if Pt is as small as 0.1 mW. This is because 
when the channel estimation is not accurate due to low 
SNR, the systems need much more data to make a right 
decision. 

• Similarly, the MIMO security gain rises with $P_T$, under
small M (e.g., M = 1). Otherwise, it decreases with $P_T$,
under large M (e.g., M = 10).

We can also compare the security gain with the MIMO
diversity gain, as a function of the number of transmit and 
receive antennas. It is well known that the diversity gain rises 
with both the number of transmit antennas and the number of 
receive antennas. We have found that 

• The use of multiple (i.e., $N_R > 1$) receive antennas
improves the detection of spoofing attacks. This is a 
case where both the security gain and the diversity gain 
increase due to additional receive antennas. 

• On the other hand, the security gain by using multiple 
(i.e., Nt > 1) transmit antennas may be positive or 
negative, based on the value of Pt, M, and Nr, since 
the transmit power per antenna decreases with Nt, while 
more transmit antennas provide extra channel estimation 
samples. This is a case where the security gain sometimes 
decreases but the diversity gain always rises due to 
additional transmit antennas. 

Thus the MIMO-assisted channel-based authentication 
schemes provide a wide range of parameter choices and 
performance tradeoffs that have to be considered in the context 
of both security gains and MIMO performance gains. 